Basis:

The listed controls are identified here and details
of their use are covered throughout the rest of the overarching
architecture and standard of practice.

Access controls: Controls over who and what
can access what.

Addresses: Generally, methods used to lead to
something. Physical and Internet Protocol (IP) addresses are most
commonly discussed, but other sorts exist (e.g., MAC, Ethernet, ...).

Aggregation controls: Controls over the
aggregation of risk, content, etc.

Alert systems: Systems that provide alerts to
people or other systems to cause actions to be undertaken.

Anti-Bad-Content: Any of the many methods for
identifying and dealing with undesired or malicious content.

Application firewalls: Firewalls designed to
work with specific applications, typically by detailed discrimination
based on state and input.

Assistance: Human or automated assistance.

Audit: Internal and/or external reviews
against a standard or defined set of objectives.

Authentication: Methods for verification of
identification of a known mechanism or party.

Backups: Copies made as a protection against
loss or damage to originals.

Certificates: Mechanisms intended to allow the
verification of something about something by someone or something
else. Generally a chain of trust is built in which trust of the
certifying entity is relied upon to trust the person or thing being
certified.

Code validation: Method to determine whether
and to what extent executable content meets its specification.

Computing: Mechanisms used to perform computations.

Configuration controls: Methods and practices
used to control settings of mechanisms to within defined parameters for
the situation.

Control zone: An area defined by the zoning architecture.

Correlation and analysis: Methods that relate
information from different sources to each other and external criteria
and provide output based on those combinations.

DMZ: An area (demilitarized zone) defined by the zoning architecture.

Deceptions: Methods that induce or suppress
signals to cause altered behavior in targets.

Dedicated lines: Communications media dedicated
to specific users, uses, and/or purposes and not available to other
users, uses, or purposes.

Encryption / Disk encryption / Disk-file
encryption / File encryption: Transformation of content so as to
render it unusable by parties without the necessary knowledge to
reverse or use the result of the transform. In storage this is done by
disk or media, directory area, file, or smaller portions of content.

Fiber: A communications medium.

Filters: Mechanisms that examine content and
make determinations about what can pass, what must be altered to pass,
and what cannot pass. Filters may work in any/all directions.

FW / Firewalls: Mechanisms used to prevent
certain traffic from passing from one or more communications media to
one or more others.

GW / Gateways: Mechanisms used to support
access from one location to another when direct access is not
available.

Help desk: Support staff who provide
assistance, typically based on a pre-defined set of assistance
criteria and processes.

Hosting: Provisioning of services, typically
in the form of hardware with configured software, as a service.

Location: Controls that act differently
depending on the location of components.

MAC: Media Access Control address, used so that
interfaces can ignore traffic not destined for them and so limit the
computation they perform.

NAC: Network Address Translation used to allow
multiple (internal / protected) addresses to share one or more
(external / unprotected) addresses with sessions returned to only the
proper protected system and uninitiated sessions not being passed from
the external address(es) to the internal address(es).

Patches: Non-hardware changes to components
made during operation or during reboots or other change control
periods.

Penetration testing: Testing to identify
weaknesses by exploiting those weaknesses.

Perceptions: Interpretation of observed
phenomena by cognitive mechanisms. This ranges over things like
keeping a low profile, appearing to be a hard target, not giving away
intelligence targeting information or intelligence, and so forth.

Perimeters: Separations between areas.

Personnel flow controls: Controls that limit
the movement of people during potentially different periods of
operation.

Proxy: Mechanisms that act on behalf of other
mechanisms or parties, typically by examining information to be passed
on and rewriting that information in a different form elsewhere.

QoS: Quality of Service controls typically to
provide guaranteed minimum service levels.

Query limits: Limitations on the input
sequences allowed to pass to a mechanism that looks up information
based on those input sequences. As a fundamental notion, in order to
meet this condition, input checking as a function of state at each
point where input could cause harm should be done and only known valid
inputs should be allowed to pass. At a minimum such checks should
include minimum and maximum input length and allowed symbols.
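The state-dependent input check described under "Query limits", as an added example (not code from the original document): a lookup front end where the set of permitted query fields depends on the caller's state, and each field has minimum and maximum length and an allow-list of symbols. The states, field names, patterns and account table are constructed for illustration.

```python
import re

# Constructed allow-list patterns: a username is 3..16 lowercase letters,
# digits or underscores starting with a letter; an account id is 6..10 digits.
ALLOWED_USERNAME = re.compile(r"[a-z][a-z0-9_]{2,15}")
ALLOWED_ACCOUNT_ID = re.compile(r"[0-9]{6,10}")

# Per-state allow-list: which fields a caller in that state may query,
# with (min_len, max_len, allowed-symbol pattern) for each field.
# Anything not listed here is rejected; the check is a function of state.
RULES = {
    "anonymous": {"username": (3, 16, ALLOWED_USERNAME)},
    "authenticated": {
        "username": (3, 16, ALLOWED_USERNAME),
        "account_id": (6, 10, ALLOWED_ACCOUNT_ID),
    },
}

# Constructed backing store for the lookup mechanism.
ACCOUNTS = {"alice": "123456", "bob": "654321"}


def check_query(state, field, value):
    """Return (ok, reason). Only known-valid input passes."""
    if not isinstance(value, str):
        return False, "value must be a string"
    fields = RULES.get(state)
    if fields is None:
        return False, "unknown state"
    rule = fields.get(field)
    if rule is None:
        return False, "field not permitted in this state"
    min_len, max_len, pattern = rule
    if not (min_len <= len(value) <= max_len):
        return False, "length out of bounds"
    # fullmatch, not match: a trailing newline or extra characters must fail.
    if pattern.fullmatch(value) is None:
        return False, "disallowed symbols"
    return True, "ok"


def lookup(state, field, value):
    """Run the lookup only after the input has been validated for this state."""
    ok, _ = check_query(state, field, value)
    if not ok:
        return None
    if field == "username":
        return ACCOUNTS.get(value)
    if field == "account_id":
        for name, acct in ACCOUNTS.items():
            if acct == value:
                return name
    return None


if __name__ == "__main__":
    print(lookup("anonymous", "username", "alice"))
    print(lookup("anonymous", "account_id", "123456"))
    print(lookup("authenticated", "account_id", "123456"))
```

The check rejects on the first failing criterion and never passes an input that was not explicitly allowed for the current state, which is the "only known valid inputs" condition the entry describes.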

RF: Radio Frequency communications medium.

Redundancy: Multiple mechanisms that operate
when others of them fail, typically most resilient if separate and
different in as many ways as possible, so as to avoid common mode
failures.

Replay and rollback: Returning to a known
prior state (roll-back) and replaying transactions (replay) to return
a (transaction) system to a sound state without unnecessary data or
state loss.

Reputation: Perceptions of others regarding
suitability for purpose.

Response support: Support services to aid in
response processes.

Risk aggregation controls: Controls that
compensate for risk above threshold in a component by creating a
composite that reduces risks on components.

Roles and rules: Roles are used to associate
people or things with activities and rules are used to associate those
roles with permitted acts.

SMTP: Simple Mail Transfer Protocol services that
support protective functions as a service.

Separation of duties: Methods by which
activities are partitioned so as to limit the consequences associated
with one or more insiders acting against the best interest of the
organization.
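The two entries "Roles and rules" and "Separation of duties" combined in one added example (not code from the original document): roles associate people with activities, rules associate roles with permitted acts, and a separation-of-duties constraint refuses to let one person perform two conflicting acts on the same transaction even when their roles would individually permit each act. The people, roles, acts and conflict pairs are constructed for illustration.

```python
# Constructed role assignments: person -> set of roles.
ROLES = {
    "alice": {"clerk"},
    "bob": {"approver"},
    "carol": {"clerk", "approver"},   # holds both roles
}

# Constructed rules: role -> set of permitted acts.
RULES = {
    "clerk": {"submit_payment"},
    "approver": {"approve_payment"},
}

# Constructed separation-of-duties constraint: pairs of acts that must not
# be performed by the same person on the same transaction.
CONFLICTING = {frozenset({"submit_payment", "approve_payment"})}


class Ledger:
    """Records who performed which act on which transaction."""

    def __init__(self):
        self.history = {}  # txn_id -> list of (person, act)

    def permitted(self, person, act):
        """Rules check: is the act allowed by any role the person holds?"""
        return any(act in RULES.get(role, set()) for role in ROLES.get(person, set()))

    def violates_sod(self, person, act, txn_id):
        """Separation-of-duties check against this transaction's history."""
        for prior_person, prior_act in self.history.get(txn_id, []):
            if prior_person == person and frozenset({prior_act, act}) in CONFLICTING:
                return True
        return False

    def perform(self, person, act, txn_id):
        """Apply the role rules first, then the separation-of-duties rule."""
        if not self.permitted(person, act):
            return "denied: not permitted by role"
        if self.violates_sod(person, act, txn_id):
            return "denied: separation of duties"
        self.history.setdefault(txn_id, []).append((person, act))
        return "ok"


if __name__ == "__main__":
    ledger = Ledger()
    print(ledger.perform("carol", "submit_payment", "T2"))
    print(ledger.perform("carol", "approve_payment", "T2"))  # blocked by SoD
    print(ledger.perform("bob", "approve_payment", "T2"))
```

Carol passes the role check for both acts, so the role rules alone would let a single insider submit and approve the same payment; the separation-of-duties check is what partitions the activity between two people.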

Software controls: Mechanisms used to control
the effects of software.

Surveillance systems: Systems that observe
activities that otherwise would not be observable for the purposes of
verifying that those activities are appropriate and for potential
subsequent investigative support.

TCB: Trusted Computing Base, any of several sorts.

TCG: Trusted Computing Group and its Trusted
Platform Module approach to assuring integrity of hardware and software
systems.

TCSEC: DoD's Trusted Computer System
Evaluation Criteria.

CC: The Common Criteria.

Terminal services: Servers typically providing
remote terminal or desktop access to virtual machines that act as an
intermediary in accessing internal systems of an area from systems
external to that area.

Testing: Processes intended to determine, to
within defined coverage, whether and to what extent protective (or
other) functions operate as they should.

Transaction mechanisms: Mechanisms that take
single atomic (non-severable) acts (transactions) and properly handle them with
consistency and in an atomic manner.

Transforms: Mechanisms that transform from one
form or format to another. Typically encryption, cryptographic
checksums, encoding, compression, and similar methods.

Up-Down: Mechanisms that detect whether or not a
service is apparently operating from a particular vantage point and
report on the state of those services.

VLAN: Virtual Local Area Network presenting
itself as if it were a private local area network even though portions
of the network may not be within the local area or the network may be
shared at the physical level with other local area networks. Typically
augmented with encryption for higher surety when passing through
untrusted locations, and typically controlled with performance
mechanisms to guarantee prioritization or other QoS constraints with
respect to other VLANs in the same infrastructure.

VMs: Virtual Machines, typically booted for
sessions and then shut down when not in use, and usable as temporary
separation mechanisms for periods of processing.

NAT: Network Address Translation, typically
allowing internal address space to initiate sessions to external
address space but permitting no session initiation in the inbound
direction. This is often part of firewalls or similar mechanisms.
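The session behaviour described in the NAT entry (and in the "NAC" entry above, which describes the same mechanism), as an added example that is not code from the original document: a minimal port-and-address translator that maps outbound sessions to an external address, returns replies only to the internal system that opened the session, and drops inbound packets that match no existing session. The addresses are constructed from documentation ranges and the port allocation scheme is an assumption for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Stateful NAT: outbound sessions create mappings, inbound packets
    are forwarded only when they match a mapping created from inside."""

    def __init__(self, external_ip, internal_prefix, first_port=40000):
        self.external_ip = external_ip
        self.internal_prefix = internal_prefix   # constructed: e.g. "10.0.0."
        self.next_port = first_port              # assumption: sequential allocation
        # (int_ip, int_port, dst_ip, dst_port) -> allocated external port
        self.out_map = {}
        # (external port, remote ip, remote port) -> (int_ip, int_port)
        self.in_map = {}

    def is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def outbound(self, pkt):
        """Translate an internal source to the external address, creating
        the return-path mapping on first use of the session."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.out_map.get(key)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
            self.out_map[key] = ext_port
            self.in_map[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Forward only replies to sessions initiated from inside; return
        None (drop) for anything the internal side did not initiate."""
        if pkt.dst_ip != self.external_ip:
            return None
        target = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

    def handle(self, pkt):
        """Dispatch on direction: internal source means outbound."""
        if self.is_internal(pkt.src_ip):
            return self.outbound(pkt)
        return self.inbound(pkt)


if __name__ == "__main__":
    nat = Nat("203.0.113.1", "10.0.0.")
    out = nat.handle(Packet("10.0.0.5", 51000, "198.51.100.7", 443))
    print(out)
    print(nat.handle(Packet("198.51.100.7", 443, "203.0.113.1", out.src_port)))
    print(nat.handle(Packet("198.51.100.9", 12345, "203.0.113.1", out.src_port)))
```

The return-path table is keyed on the remote address and port as well as the allocated external port, so a packet from a different remote host aimed at an in-use external port is dropped rather than delivered to the protected system.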

VPN: Virtual Private Networks are typically
used to form remote VLANs by encrypting traffic from peering point to
peering point, making it appear as if there is a private network when
the network is physically passing through public (or less private)
infrastructure.

Vulnerability detection: Mechanisms designed
to detect the presence of vulnerabilities, typically by testing for
the presence of the vulnerability or for indicators of those
vulnerabilities.

Wired: Physically connected through electrical wiring.

Wrappers: Programs that intervene between
other programs to "wrap" them in an independent control mechanism.